Thieves steal more PC Optimum points after Loblaws fixes password glitch

After getting hit by points theft multiple times, some PC Optimum members are questioning a fix Loblaws says it has made to improve the security of its rewards program. 

“I do not believe they have fixed anything,” said Shawn Nicholson in Halifax. On Wednesday, a thief infiltrated his PC Optimum online account for the third time in less than a month, this time stealing 150,000 points — worth $150.

“I’m beyond the point of frustration,” he said.

CBC News previously interviewed Nicholson on April 9, after he was hit by points theft a second time, despite reporting his case and beefing up his password.

PC Optimum member Shawn Nicholson of Halifax has been robbed of points in three separate incidents. (Submitted by Shawn Nicholson)

At the time, Loblaws said it was working to fix a glitch in the program’s system that allowed a thief to stay in a member’s online account, even after the initial theft was discovered and password reset. By April 13, Loblaws said it had resolved the problem.

However, five days later on April 18, Nicholson’s thief struck a third time, spending most of his points at the same location as before — a Loblaws-owned Maxi store near Montreal. 

“I have zero confidence in the security of my account,” he said.

Is it fixed?

CBC News contacted Loblaws about Nicholson’s third theft. The retailer said that the underlying problem with the password resets has been “locked down,” but that addressing all the thefts will take time. 

“The issue has been identified and resolved, but involves a manual process at our end, once we’ve been in contact with the customer,” said spokesperson Catherine Thomas in an email.

Nicholson says Loblaws did contact him last week and returned his 140,000 points from the first two thefts.

“I thought everything was resolved and fine,” he said.

But following the third theft, Nicholson says he’ll only feel safe once PC Optimum deletes his account and sets him up with a new one.

“I don’t think changing passwords or emails or anything of that nature will solve the problem.”

Since Loblaws launched its new PC Optimum rewards program on Feb. 1, CBC News has heard from more than 50 members complaining of points theft and sometimes long waits to get their issues addressed.

Loblaws said the thefts have only affected “a very small subset” of the program’s more than nine million members.

The retailer said the PC Optimum program is secure, members’ information is safe and that stolen points will be restored.

But following repeat thefts, some members question if Loblaws is doing enough.

“The system is far too vulnerable,” said PC Optimum member Joel Du Broy in Ottawa.

Police on the case

According to his account records, on April 12 someone spent a whopping 1.6 million of Du Broy’s points — worth $1,600 — mainly at Loblaws-owned Pharmaprix stores in Montreal.

“I was really upset,” he said. “It’s a bit hard to sleep at night when you have that amount of money missing.”

On April 13 — the day Loblaws confirmed it had resolved its password reset problem — Du Broy says he reported the theft, and a PC Optimum agent told him to change his password. He says he did, along with changing the email address associated with his account.

The next day, however, another 350,000 points went missing from his account, spent at one of the same Pharmaprix stores.

A PC Optimum member shows the points that disappeared from her account and were spent in another province. (CBC)

Du Broy says he actually saw the points disappear from his account in real time while discussing the initial theft with PC Optimum.

“I was on the phone with customer service as I was being looted,” he said. “My jaw just dropped.”

Du Broy reported the thefts to the Ottawa police, who are now investigating.

In order to prevent future points thefts, he believes Loblaws should implement tougher security measures such as a two-step verification process when members spend more than $100 worth of points in a store, and when someone new joins a member’s account. 

PC Optimum offers the joining feature for members who want to pool their points, such as families.

“That’s non-negotiable,” said Du Broy who noticed that a stranger had linked their own PC Optimum card to his account at the time his points went missing.

“If somebody wants to add a household card to my account, I certainly better approve it.”

Loblaws told CBC News that the underlying problem causing the password reset glitch has been ‘locked down.’ (PC Optimum)

For at least a week now, PC Optimum’s “pool your points as a household” feature has been temporarily disabled.

Loblaws did not say whether this move is connected to the rash of thefts.

After CBC News contacted Loblaws, Du Broy got his stolen points back. He has set up a new PC Optimum account, convinced that’s the only way he can protect himself from future theft. 

SOURCE: CBC.ca

Leave a Reply